quasar | GhostShop[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GhostShop.exe
Size

3.3MB
MD5

71836a9d475bc76d205bfe493904653b
SHA1

dbeb1f6a091594d49548f84eb9e8a70c2025d673
SHA256

37d2321800b1980716f7e33d52d0d299af94e2371a3bdb3bdcaa3ea02dec00bb
SHA512

f5c6178caa640fe646916ebe999e4074697f3c6c72f8277d222b58b6c01727c2d962b13c5dbd4c28d574c5d898f35e32e73b47df0697108ff1c7ade9fb4b6957
SSDEEP

49152:imEnyhcFEEfm1CW2tQlmcX6D6DEEUi2HHNPTHHB72eh2NT:imLhcSEfm1CW2tQlmcX6+Ns

Score

10^/10

skid quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

skid

C2

147.185.221.20:18563

147.185.221.20:9835

Mutex

c40110c3-1738-475c-9ecd-2dfda1c0bc70

Attributes

encryption_key
9E968F05BD874BA1BE086FD1774A027473823F49
install_name
Windows Host Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Host Process
subdirectory
Windows

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GhostShop.exe

Files

GhostShop.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 181KB - Virtual size: 180KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ